CVE-2016-0763 – tomcat: security manager bypass via setGlobalContext()
https://notcve.org/view.php?id=CVE-2016-0763
The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context. El método setGlobalContext en org/apache/naming/factory/ResourceLinkFactory.java en Apache Tomcat 7.x en versiones anteriores a 7.0.68, 8.x en versiones anteriores a 8.0.31 y 9.x en versiones anteriores a 9.0.0.M3 no considera si los que llaman a ResourceLinkFactory.setGlobalContext están autorizados, lo que permite a usuarios remotos autenticados eludir las restricciones de SecurityManager previstas y leer o escribir a datos de aplicación arbitrarios, o provocar una denegación de servicio (interrupción de aplicación), a través de una aplicación web que establece un contexto global manipulado. A security manager bypass flaw was found in Tomcat that could allow remote, authenticated users to access arbitrary application data, potentially resulting in a denial of service. • http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179356.html http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html http://rhn.redhat.com/errata/RHSA-2016-1089.html http://rhn.redhat.com/errata/RHSA-2016-2599.html http://rhn.redhat.com/errata/RHSA-2016-2807.html http://rhn.redhat.com/errata/RHSA-2016 • CWE-264: Permissions, Privileges, and Access Controls CWE-287: Improper Authentication •
CVE-2015-5345 – tomcat: directory disclosure
https://notcve.org/view.php?id=CVE-2015-5345
The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character. El componente Mapper en Apache Tomcat 6.x en versiones anteriores a 6.0.45, 7.x en versiones anteriores a 7.0.68, 8.x en versiones anteriores a 8.0.30, y 9.x en versiones anteriores a 9.0.0.M2 procesa redirecciones antes de considerar las restricciones y Filtros de seguridad, lo que permite a atacantes remotos determinar la existencia de un directorio a través de una URL que carece de un carácter / (barra) final. It was found that Tomcat could reveal the presence of a directory even when that directory was protected by a security constraint. A user could make a request to a directory via a URL not ending with a slash and, depending on whether Tomcat redirected that request, could confirm whether that directory existed. • http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00082.html http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html http://marc.info/?l=bugtraq&m=145974991225029&w=2 http://packetstormsecurity.com/files/135892/Apache-Tomcat-Directory-Disclosure.html http://rhn.redhat.com/errata/RHSA-2016-1089.html http://rhn.redhat • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-552: Files or Directories Accessible to External Parties •
CVE-2016-2069 – kernel: race condition in the TLB flush logic
https://notcve.org/view.php?id=CVE-2016-2069
Race condition in arch/x86/mm/tlb.c in the Linux kernel before 4.4.1 allows local users to gain privileges by triggering access to a paging structure by a different CPU. Condición de carrera en arch/x86/mm/tlb.c en el kernel de Linux en versiones anteriores a 4.4.1 permite a usuarios locales obtener privilegios desencadenando el acceso a una estructura de paginación por un CPU diferente. A flaw was discovered in the way the Linux kernel dealt with paging structures. When the kernel invalidated a paging structure that was not in use locally, it could, in principle, race against another CPU that is switching to a process that uses the paging structure in question. A local user could use a thread running with a stale cached virtual->physical translation to potentially escalate their privileges if the translation in question were writable and the physical page got reused for something critical (for example, a page table). • http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=71b3c126e61177eb693423f2e18a1914205b165e http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00094.html http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00015.html http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00045.html http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00038.html http://rhn.redhat.com/errata/RHSA-2016-2574.html http://rhn.redhat.com/errata/RHSA-2016-258 • CWE-266: Incorrect Privilege Assignment CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2016-1575 – Ubuntu 14.04/15.10 - User Namespace Overlayfs Xattr SetGID Privilege Escalation
https://notcve.org/view.php?id=CVE-2016-1575
The overlayfs implementation in the Linux kernel through 4.5.2 does not properly maintain POSIX ACL xattr data, which allows local users to gain privileges by leveraging a group-writable setgid directory. La implementación de overlayfs en el kernel de Linux hasta la versión 4.5.2 no mantiene correctamente datos POSIX ACL xattr, lo que permite a usuarios locales obtener privilegos aprovechando un directorio con permiso de escritura de grupo setgid. • https://www.exploit-db.com/exploits/41762 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e9f57ebcba563e0cd532926cab83c92bb4d79360 http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1575.html http://www.halfdog.net/Security/2016/UserNamespaceOverlayfsXattrSetgidPrivilegeEscalation http://www.openwall.com/lists/oss-security/2016/02/24/7 http://www.openwall.com/lists/oss-security/2021/10/18/1 https://launchpad.net/bugs/1534961 • CWE-269: Improper Privilege Management •
CVE-2016-1576 – Ubuntu 15.10 - 'USERNS ' Overlayfs Over Fuse Privilege Escalation
https://notcve.org/view.php?id=CVE-2016-1576
The overlayfs implementation in the Linux kernel through 4.5.2 does not properly restrict the mount namespace, which allows local users to gain privileges by mounting an overlayfs filesystem on top of a FUSE filesystem, and then executing a crafted setuid program. La implementación de overlayfs en el kernel de Linux hasta la versión 4.5.2 no restringe correctamente el espacio de nombres de montaje, lo que permite a usuarios locales obtener privilegos montando un sistema de archivos overlayfs sobre un sistema de archivos FUSE y luego ejecutando un programa setuid manipulado. • https://www.exploit-db.com/exploits/41763 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e9f57ebcba563e0cd532926cab83c92bb4d79360 http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1576.html http://www.halfdog.net/Security/2016/OverlayfsOverFusePrivilegeEscalation http://www.openwall.com/lists/oss-security/2016/02/24/8 http://www.openwall.com/lists/oss-security/2021/10/18/1 https://bugs.launchpad.net/bugs/1535150 https://launchpadlibrarian.net/23530009 •